On 3/23/20 5:43 AM, Eric S. Raymond via devel wrote:
> Hal Murray <hmur...@megapathdsl.net>:
>> We can do several things:
>> 1) clean out the ifdefs that make things work with older versions of
>> OpenSSL.
>> That is drop support for systems that haven't upgraded their OpenSSL to a
>> supported version.
>> 2) leave things alone, ignore the RFC.
>> Or maybe add some nasty warning messages
>> How long?
>> 3) make a configure option to disable NTS so that NTPsec builds on older
>> OSes but doesn't support NTS.
>>
>> I propose option 1. Simple and clean. I don't think we will drop many
>> systems.
>
> I concur.

+1. In the Debian package, I was recommending a minimum of TLS 1.3 anyway, since NTS was by definition greenfield (and CloudFlare was doing the same thing).

The export string change is annoying, but that's a risk we all take when running a draft protocol. I guess we'll just eat that in a flag day. It would be nice if that would be the same flag day for switching to the IANA-allocated port (whenever that happens, assuming it isn't 123/tcp), but we probably won't be that lucky.

-- 
Richard
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel